Apple has announced an emergency patch for iPhones, iPads, and macOS computers, an increasingly common event. macOS Monterey has been updated to v12.5.1, and iOS is now on v15.6.1. The update addresses a pair of zero-day vulnerabilities in Apple's software, meaning they are already being used in the wild to exploit devices. Anyone with an iPhone in their pocket or a Mac on their desk should be hitting that update button today.

The updates address the same pair of vulnerabilities on both mobile and desktop platforms. If you're on an older version of macOS, you are not vulnerable to this particular issue as Apple's advisory describes it, although Apple did ship a separate Safari 15.6.1 update for Big Sur and Catalina shortly afterwards to cover the WebKit bug. All iPhone models from the 6s onward are affected, as are all models of the iPad Pro, as well as the iPad Air 2, the 5th Gen iPad, the iPad Mini 4, and all later models in these lines. Even Apple's recently discontinued 7th gen iPod Touch gets in on the fun. You can see the update notice for iPhone below.

The first flaw is tracked as CVE-2022-32894. It's an out-of-bounds write vulnerability in the operating system kernel, the low-level layer that has access to all parts of the system. A vulnerability here lets malware execute code with the kernel's own privileges and completely take over the device.

The second vulnerability is CVE-2022-32893. This too is an out-of-bounds write, but it's a flaw in the WebKit browser engine at the heart of Apple's Safari browser. That is also the only engine Apple allows on the iPhone, so even third-party browsers like Chrome and Firefox offer no reprieve. This bug could also allow arbitrary code execution, and while the WebKit engine doesn't have the pervasive system access of the kernel, it is a web component. That means simply visiting a malicious website on an unpatched device could be enough to get you in trouble. Bugs of these two kinds are the usual pair in a drive-by exploit chain: the WebKit bug gets attacker code running inside the sandboxed browser process, and a kernel bug is what that code then uses to break out and take over the rest of the device.

Apple says these flaws are being actively exploited and were reported by anonymous security researchers. They are the sixth and seventh zero-days patched by Apple so far this year. We might hear about more Android vulnerabilities, but that's because Android is an open-source platform. Apple still sees its fair share of exploitable bugs, even in its silicon. One advantage Apple has is longer update support: avoiding zero-day exploits in the first place is ideal, but at least Apple can roll out updates promptly, even to older devices.

Older hardware that no longer receives the current iOS got a patch of its own. The software flaws are listed in the Common Vulnerabilities and Exposures (CVE) database, a system funded by a division of the US Department of Homeland Security (DHS) to ensure public disclosure of security vulnerabilities and exposures. The vulnerabilities affect the iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation), as well as computers running older macOS versions.

“The issue is that if a web page is constructed in a certain way, it can cause code to execute on the device outside of the normal containment and effectively create a malware situation on the device that could compromise data, contacts, location, insert malicious SW, etc.,” said Jack Gold, principal analyst at J. Gold Associates. The fact that the issue affects that older group of devices, and not newer models, means that there are relatively few devices at risk, Gold noted. Even so, he said, anyone with one of the older devices should update as soon as possible.

While a patch offered for older devices may seem unimportant, cybercriminals are particularly fond of older unpatched technology, especially if the vulnerability gives them complete control and the ability to gain access to other systems and services. “An attacker could lure a potential victim to a specially crafted website or use malvertising to compromise a vulnerable system by exploiting this vulnerability,” Malwarebytes said in a blog post today. “Since the vulnerability exists in Apple’s HTML rendering software (WebKit), and WebKit powers all iOS web browsers and Safari, possible targets are iPhones, iPads, and Macs, which could all be tricked into running unauthorized code.”
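Every flaw discussed above is the same bug class, an out-of-bounds write. The C program below is an added illustration and is not code from the article, from Apple or from WebKit, and it has nothing to do with the actual CVEs. It models a hypothetical object whose fixed-size name field sits directly in front of a one-byte privilege flag, copies a constructed attacker input into it once with no length check and once with one, and reports whether the write spilled into the flag. The layout, the field names, the flag semantics and the input bytes are all assumptions made for the demonstration; the object is modelled as one flat byte array so the spill stays inside defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical object layout (an assumption for this example): a 16-byte
 * name field followed immediately by a one-byte "privileged" flag.  It is
 * kept as one flat array so the overflow is observable without UB. */
#define NAME_LEN 16
#define FLAG_OFF NAME_LEN
#define OBJ_SIZE (NAME_LEN + 1)

struct session {
    uint8_t mem[OBJ_SIZE];   /* mem[0..15] = name, mem[16] = is_privileged */
};

static void session_init(struct session *s)
{
    memset(s->mem, 0, sizeof s->mem);   /* empty name, flag cleared */
}

static int session_is_privileged(const struct session *s)
{
    return s->mem[FLAG_OFF];
}

/* Vulnerable pattern: the copy is bounded by the caller's length, not by
 * the field.  When len exceeds NAME_LEN the loop runs off the end of the
 * name and lands on the flag; that is the whole mechanism by which an
 * out-of-bounds write becomes a privilege problem rather than a crash. */
static int set_name_unchecked(struct session *s, const uint8_t *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        s->mem[i] = src[i];
    return 0;
}

/* Hardened pattern: bound the write by the destination size and refuse
 * anything larger, so the neighbouring flag can never be touched. */
static int set_name_checked(struct session *s, const uint8_t *src, size_t len)
{
    if (len > NAME_LEN)
        return -1;               /* oversized input rejected, flag untouched */
    for (size_t i = 0; i < len; i++)
        s->mem[i] = src[i];
    return 0;
}

/* Constructed malicious input: 16 filler bytes plus one extra byte that,
 * on an unchecked copy, overwrites the flag with 1. */
static const uint8_t attacker_input[NAME_LEN + 1] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A', 0x01
};

/* Flag value after the unchecked copy: 1 means the write escaped the
 * field and the session is now "privileged" without any authorisation. */
int flag_after_unchecked_copy(void)
{
    struct session s;
    session_init(&s);
    set_name_unchecked(&s, attacker_input, sizeof attacker_input);
    return session_is_privileged(&s);
}

/* Flag value after the checked copy, which refuses the oversized input. */
int flag_after_checked_copy(void)
{
    struct session s;
    session_init(&s);
    set_name_checked(&s, attacker_input, sizeof attacker_input);
    return session_is_privileged(&s);
}

/* Result code the checked copy returns for the oversized input. */
int checked_copy_status(void)
{
    struct session s;
    session_init(&s);
    return set_name_checked(&s, attacker_input, sizeof attacker_input);
}

int main(void)
{
    printf("unchecked copy -> privileged=%d\n", flag_after_unchecked_copy());
    printf("checked copy   -> privileged=%d (status %d)\n",
           flag_after_checked_copy(), checked_copy_status());
    return 0;
}
```

The point to take from it is the one the article makes in prose: the damage from an out-of-bounds write is decided by whatever happens to sit next to the buffer, and in a browser engine or a kernel that neighbour is often a pointer or a trust decision, which is why Apple rates both bugs as arbitrary code execution rather than a denial of service.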